Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
The Hacker News | Ravie Lakshmanan | Jun 26, 2026 | Cyber Espionage / Malware
The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy.
Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017. Suspected development activity of malware dates back to December 2022.
"STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library," GTIG said.
"STOCKSTAY consists of several distinct components that communicate with one another via an inter-process communication (IPC) channel, based on the exchange of WM_COPYDATA messages."
Evidence indicates that the implant was originally designed to mimic a stock market data viewing tool, before being adapted to masquerade as other harmless programs like PDF viewers and calculator utilities. The starting point is a downloader component codenamed STOCKSTAY.MARKETMAKER that installs and executes three additional modules -
STOCKSTAY.STOCKBROKER, a proxy-aware tunneler that facilitates network communication capabilities to the wider STOCKSTAY suite by establishing a secure WebSocket connection to a specified remote server.
STOCKSTAY.STOCKTRADER, the main backdoor that enables information gathering.
STOCKSTAY.STOCKMARKET, an orchestrator or controller that parses the backdoor's configuration to set several options regarding the malware's execution, such as the WebSocket server, time interval, and the days it's not supposed to work. It also communicates with STOCKSTAY.STOCKBROKER to provide the server details and receive messages via the established WebSocket connection, as well as STOCKSTAY.STOCKTRADER to issue commands to be run on the compromised host.
[Figure: STOCKSTAY malware architecture]
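The orchestrator's configuration described above (a check-in interval and days on which the implant is not supposed to work) gives defenders a shape to hunt for in outbound-connection logs, independent of any indicator. The following script is an added example written for this page, not code from GTIG or The Hacker News: it groups connection records per process and destination, measures how regular the gaps between check-ins are, and reports which weekdays inside the observed span carried no traffic at all. The record layout (timestamp, process, host) and all sample events are constructed.

```python
"""Beacon-shape triage over constructed outbound-connection records.

Added example, not code from GTIG or The Hacker News. STOCKSTAY.STOCKMARKET
is reported to configure a check-in interval and days on which the implant
stays idle; this script looks for that shape in connection logs: one
process reaching one host at a near-fixed gap, with whole weekdays silent.
Event layout (timestamp, process, destination host) and all sample data
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_events():
    """Constructed log: 'viewer.exe' checks in every 30 minutes on weekdays
    only; 'browser.exe' talks to a news site at irregular gaps every day."""
    events = []
    start = datetime(2025, 11, 3, 8, 0)          # a Monday (constructed date)
    for day in range(14):
        date = start + timedelta(days=day)
        if date.weekday() < 5:                   # Mon..Fri only
            for slot in range(21):               # 08:00 .. 18:00, every 30 min
                events.append((date + timedelta(minutes=30 * slot),
                               "viewer.exe", "ws-relay.example.invalid"))
        t = date
        for gap in (3, 17, 5, 41, 2, 9, 66, 12, 28, 4):   # irregular minutes
            t += timedelta(minutes=gap)
            events.append((t, "browser.exe", "news.example.invalid"))
    return sorted(events)


def regularity(times, tolerance=0.10):
    """Return (median gap in seconds, fraction of gaps within +/- tolerance
    of that median). A tight cluster around the median is the beacon signal;
    overnight and weekend gaps are few and fall outside it."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0
    med = median(gaps)
    close = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med, close / len(gaps)


def silent_weekdays(times):
    """Weekdays (0=Mon .. 6=Sun) that occur inside the observed span but carry
    no events at all, i.e. the 'days it is not supposed to work' pattern."""
    day = times[0].date()
    span_days = set()
    while day <= times[-1].date():
        span_days.add(day.weekday())
        day += timedelta(days=1)
    active = {t.weekday() for t in times}
    return sorted(span_days - active)


def find_beacons(events, min_events=20, min_regularity=0.8):
    """Group events per (process, host) flow and report the regular ones."""
    flows = defaultdict(list)
    for ts, proc, host in events:
        flows[(proc, host)].append(ts)
    findings = []
    for (proc, host), times in flows.items():
        times.sort()
        if len(times) < min_events:              # too few to judge
            continue
        med, reg = regularity(times)
        if reg >= min_regularity:
            findings.append({
                "process": proc,
                "host": host,
                "events": len(times),
                "median_gap_minutes": round(med / 60, 1),
                "regularity": round(reg, 2),
                "silent_weekdays": silent_weekdays(times),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(build_sample_events()):
        print(finding)
```

On the constructed log only the viewer process is reported: a 30-minute median gap with about 96% of gaps on that value, and Saturday and Sunday silent. The regularity measure uses the median rather than the mean so that the handful of overnight and weekend gaps does not hide an otherwise fixed interval; the thresholds are starting points to tune against real traffic, where legitimate update checkers will also look regular and need allowlisting.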
Some of the commands supported by STOCKSTAY.STOCKTRADER are listed below -
Del, to delete the specified files
Dir, to enumerate the specified directories
Get, to fetch one or more specified files matching certain extensions
MkDir, to make one or more directories
RmDir, to delete the specified directories
Image, to perform a screen capture of the device's screen
MultyTask, to run a semicolon-separated list of tasks at once
Put, to upload a file to the device
RegRead, to read a Windows Registry value
RegDelete, to delete a Windows Registry value
RegWrite, to set a Windows Registry value
Run, to execute a new process
Sysinfo, to gather system information
UnpackArchive, to extract the specified ZIP file to its current directory
Google said it identified a publicly accessible GitHub repository ("ChikenFresh/google-ai-labs-it") containing a Python implementation of the victim-facing STOCKSTAY WebSocket server controller that's responsible for handling inbound messages from a connected client and logging its IP address.
"The inability for the server to decrypt inbound messages prevents introspection by platform operators, and further obfuscates the location of the threat actor’s dedicated infrastructure," GTIG noted. "This architecture somewhat resembles Turla's multi-hop Kazuar C2 infrastructure."
Attacks distributing STOCKSTAY have consistently leveraged academic- or diplomatic-themed lures to target government and military organizations within Ukraine, with early versions of the backdoor used in attacks aimed at entities in Italy, the Netherlands, Poland, and Germany. That said, it's unknown which European entities were singled out in these attacks.
[Figure: Timeline of STOCKSTAY observations]
In at least one instance observed in early 2025, the Turla actors are said to have employed a phishing email containing a malicious RDP file attachment that, when opened, sets up a connection between the victim's device and actor-controlled infrastructure, through which additional payloads, including STOCKSTAY, can be deployed.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
Other campaigns have leveraged MSI installers (in one case hosted on GitHub) and RAR files containing an HTML Application (HTA) script, the latter of which is designed to execute a variant of STOCKSTAY.MARKETMAKER. The downloader then retrieves a ZIP archive containing the main STOCKSTAY components that's hosted on a compromised WordPress instance.
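The delivery paths above (a mailed RDP connection file, RAR archives, MSI installers and HTA scripts) can all be checked at the mail gateway before anything runs. The script below is an added example written for this page, not code from GTIG or The Hacker News. It assumes attachments are available as filename and bytes, that .rdp attachments use the standard "name:type:value" property lines of Remote Desktop connection files, and a constructed allowlist of RDP hosts the organisation actually uses; which properties to inspect (the remote address and drive redirection) is the author's choice of check, not something the report states. All sample attachments are constructed, and 203.0.113.10 is a documentation address, not an indicator.

```python
"""Mail-attachment triage for the STOCKSTAY delivery paths described above.

Added example, not code from GTIG or The Hacker News. It assumes attachments
are available as (filename, bytes) pairs, that .rdp attachments use the
standard 'name:type:value' lines of Remote Desktop connection files, and
a constructed allowlist of RDP hosts the organisation actually uses. The
sample attachments below are constructed; 203.0.113.10 is a documentation
address, not an indicator from the report.
"""

RAR_MAGIC = b"Rar!\x1a\x07"                      # RAR4 and RAR5 share this prefix
TRUSTED_RDP_HOSTS = {"rdp.corp.example.invalid"}  # constructed allowlist


def parse_rdp(text):
    """Parse 'name:type:value' lines; values may themselves contain ':'."""
    props = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            props[parts[0].lower()] = parts[2]
    return props


def assess_rdp(text):
    """Checks a defender would want on a mailed .rdp file: where it connects
    and whether it hands local drives to the remote side."""
    props = parse_rdp(text)
    reasons = []
    host = props.get("full address", "").split(":")[0].lower()
    if host and host not in TRUSTED_RDP_HOSTS:
        reasons.append(f"rdp: connects to untrusted host {host}")
    if props.get("redirectdrives") == "1" or props.get("drivestoredirect"):
        reasons.append("rdp: local drives redirected to the remote server")
    if props.get("remoteapplicationmode") == "1":
        reasons.append("rdp: RemoteApp mode enabled")
    return reasons


def triage_attachment(filename, data):
    """Return the reasons an attachment deserves analyst attention, or []."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if ext == "rdp":
        reasons.append("rdp: connection file attached to mail")
        reasons += assess_rdp(data.decode("utf-8", "replace"))
    if data.startswith(RAR_MAGIC):
        reasons.append("rar: archive attached; confirm WinRAR is patched for CVE-2025-8088")
        if ext != "rar":
            reasons.append(f"rar: content is a RAR archive but the extension is .{ext}")
    if ext in ("hta", "msi"):
        reasons.append(f"{ext}: executable content attached")
    return reasons


# Constructed samples
SAMPLE_RDP = (
    "full address:s:203.0.113.10:3389\n"
    "redirectdrives:i:1\n"
    "drivestoredirect:s:*\n"
    "remoteapplicationmode:i:0\n"
)
SAMPLES = [
    ("invite.rdp", SAMPLE_RDP.encode()),
    ("paper.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),  # RAR disguised as PDF
    ("report.pdf", b"%PDF-1.7\n"),
    ("login.rdp", b"full address:s:rdp.corp.example.invalid\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, triage_attachment(name, blob) or "clean")
```

The RAR check keys on the file's magic bytes rather than its name, so an archive renamed to look like a document is still caught; the .rdp check reads the connection target and the drive-redirection properties, which is what decides whether a mailed connection file can move files between the victim and the remote side. A clean PDF and an .rdp pointing at an allowlisted host without redirection produce at most the bare "connection file attached" note, leaving the analyst to decide.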
One noteworthy aspect of the malware is that Turla has employed it at multiple distinct stages of its operations: once as a way to obtain initial access to environments that haven't been profiled previously, and again during post-exploitation, following reconnaissance, for execution on a specific host.
"This configuration implies that, at this stage, the actor knows exactly which machine is being targeted, likely through existing accesses to the target environment," GTIG explained. "This was seen within Ukrainian networks where STOCKSTAY was deployed toward the end of an operation which had previously relied heavily on the group's other tools, such as Kazuar."
STOCKSTAY's overlaps with Kazuar stem from the similarities in how responsibilities are delineated among different components. Kazuar's use of Kernel, Bridge, and Worker modules was extensively detailed by the Microsoft Threat Intelligence team last month. The separation of distinct role-based components in STOCKSTAY was first detected in a sample uploaded to VirusTotal in December 2023 from the Netherlands.
These commonalities have raised the possibility that both STOCKSTAY and Kazuar may have been developed and maintained in part by the same developer or team.
"We believe that STOCKSTAY is being developed in KAZUAR’s image, with several design decisions likely spawning from the threat actor’s wealth of experience in conducting operations using this long-standing toolkit," Google said. "Both ecosystems rely heavily on .NET development, and have been observed using compromised WordPress sites during various stages of their operations."
"We assess with low confidence that our observations of STOCKSTAY being deployed alongside KAZUAR during active operations may be a result of the threat actor seeking to test new capabilities in active operations, particularly where they may be expecting their existing access to be remediated in the near future."